The Internet Watch Foundation (IWF), a UK-based charity devoted to the removal of child pornography – which it prefers to call 'child abuse' – has received 227 reports on this growing trend in the last six months. In a report published yesterday, it gave a specific example of a furniture website which "was hacked and a folder containing hundreds of child sexual abuse images was uploaded. These images were of the youngest children and the most severe levels of abuse."
Such orphan folders cannot be accessed from within the hacked website, and the hacked company may never notice the additional folder. Pedophiles who know the direct URL, however, have clear access.
It also seems to be used to trick other users into accessing the images. Adult sites containing legal material are also being compromised and their users redirected to the hidden orphan folders. "The administrators of the adult site and the hacked site would not know this is happening," reports the IWF; "a third party has set up the‘diversion’ from one site to another and planted the folder of images."
It seems likely that this is a method for recruiting new visitors to the illegal content, with the criminals relying on embarrassment from the visitors – who would have to admit to visiting legal porn sites – in order to remain below the radar. The weakness is that the orphan folders can then be located if the visitor makes a complaint.
“We’ve received reports from people distressed about what they’ve seen. Our reporters have been extremely diligent in explaining exactly what happened, enabling our analysts to re-trace their steps and take action against the child sexual abuse images," explains IWF technical researcher Sarah Smith.
Nevertheless, the IWF report is remarkably light on details. How were the various sites compromised? How does the IWF – and by implication, law enforcement – treat a site that has unwittingly stored illegal material? What are the legal ramifications for a user who accessed legal adult sites informing the IWF that he has found illegal material on his own computer? And what are the implications of this development for David Cameron's imminent opt-out ISP-operated porn filters?
Infosecurity called the IWF to discuss these issues, but did not get a response. Neira Jones, a partner with the Accourt consultancy, says that technically there's nothing new. "I remember talking at conferences in 2008," she told Infosecurity, "explaining how vulnerable environments can be hijacked by criminal organizations just so they can host their nefarious activities on legitimate servers without being noticed." Clearly nothing much has changed, which suggests that security warnings and advice are simply not getting through to small businesses.
"All too often," she added, "organizations think they couldn’t possibly be of interest to criminals ('I’m just a furniture shop…'), and this means that these organizations don’t have a handle on what their assets are (for example, physical assets such as servers, information assets such as customer databases, HR information, intellectual property, sales figures, and so on), and therefore they can’t possibly know what risk they face, and what they need to protect – and this could be very costly."
As for the porn filters – this demonstrates just one of the weaknesses highlighted in recent days. What is needed is a more secure internet, explained Ryan Dewhurst, a security engineer at RandomStorm. "Cameron’s pledge to protect UK citizens from online porn through automatic blocking will fail if a company’s website has flaws allowing it to be hacked and orphan folders used to host harmful or illegal images.” Put simply, an ISP cannot block a website just because it's a furniture store. "In my personal opinion," he added, "Cameron is going to have to backtrack on this measure as it is unworkable.”
Hacked websites with orphan folders containing illegal material is just one way that criminals can by-pass the filters.